fix(table): escape LIKE wildcards in $contains filter values (#3949)

lawrence3699 · waleedlatif1 · web-flow · commit d5bea5f266da · 2026-04-07T08:49:43.000-07:00
The $contains filter operator builds an ILIKE pattern but does not
escape LIKE wildcard characters (%, _) in user-provided values.

This causes incorrect, over-broad query results when the search value
contains these characters. For example, filtering with
{ name: { $contains: "100%" } } matches any row where name
contains "100" followed by anything, not just the literal "100%".

Escape %, _, and \ in the value before interpolating into the ILIKE
pattern so that they match literally.

Co-authored-by: Waleed &lt;walif6@gmail.com&gt;
Co-authored-by: lawrence3699 &lt;lawrence3699@users.noreply.github.com&gt;
diff --git a/apps/sim/lib/table/sql.ts b/apps/sim/lib/table/sql.ts
@@ -322,10 +322,15 @@ function buildComparisonClause(
   return sql`(${sql.raw(`${tableName}.data->>'${escapedField}'`)})::numeric ${sql.raw(operator)} ${value}`
 }
 
+/** Escapes LIKE/ILIKE wildcard characters so they match literally */
+function escapeLikePattern(value: string): string {
+  return value.replace(/[\\%_]/g, '\\$&')
+}
+
 /** Builds case-insensitive pattern match: `data->>'field' ILIKE '%value%'` */
 function buildContainsClause(tableName: string, field: string, value: string): SQL {
   const escapedField = field.replace(/'/g, "''")
-  return sql`${sql.raw(`${tableName}.data->>'${escapedField}'`)} ILIKE ${`%${value}%`}`
+  return sql`${sql.raw(`${tableName}.data->>'${escapedField}'`)} ILIKE ${`%${escapeLikePattern(value)}%`}`
 }
 
 /**
